From df5138660d51ee5c3585d155163ae29402c5f881 Mon Sep 17 00:00:00 2001
From: Sveneld
Date: Sun, 26 Nov 2023 20:02:17 +0100
Subject: [PATCH] sql injection fix
---
 admin.php | 9 ++++++++-
 command.php | 15 ++++++++++++---
 index.php | 14 ++++++++++----
 scan.php | 14 +++++++++++---
 4 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/admin.php b/admin.php
index 4a2fb31c..d89ab19e 100644
--- a/admin.php
+++ b/admin.php
@@ -7,7 +7,14 @@ $db->connect();
 checksession();
-if (getprivileges($_COOKIE["loguserid"])<=0) exit(_('You need admin privileges to access this page.'));
+
+if (isset($_COOKIE["loguserid"])) {
+ $userid = $db->conn->real_escape_string(trim($_COOKIE["loguserid"]));
+} else {
+ $userid = 0;
+}
+
+if (getprivileges($userid)<=0) exit(_('You need admin privileges to access this page.'));
 ?>
diff --git a/command.php b/command.php
index ded4283e..2423bbfc 100644
--- a/command.php
+++ b/command.php
@@ -6,9 +6,18 @@ $db=new Database($dbserver,$dbuser,$dbpassword,$dbname);
 $db->connect();
-if (isset($_COOKIE["loguserid"])) $userid=$_COOKIE["loguserid"];
-else $userid=0;
-if (isset($_COOKIE["logsession"])) $session=$_COOKIE["logsession"];
+if (isset($_COOKIE["loguserid"])) {
+ $userid = $db->conn->real_escape_string(trim($_COOKIE["loguserid"]));
+} else {
+ $userid = 0;
+}
+
+if (isset($_COOKIE["logsession"])) {
+ $session = $db->conn->real_escape_string(trim($_COOKIE["logsession"]));
+} else {
+ $session = '';
+}
+
 $action="";
 if (isset($_GET["action"])) $action=trim($_GET["action"]);
diff --git a/index.php b/index.php
index ef7d79cf..2bfbc449 100644
--- a/index.php
+++ b/index.php
@@ -43,10 +43,16 @@ var mapzoom=;
 var standselected=0; conn->real_escape_string(trim($_COOKIE["loguserid"]));
+} else {
+ $userid = 0;
+}
+
 if (isloggedin()) {
 echo 'var loggedin=1;',"\n";
- echo 'var priv=',getprivileges($_COOKIE["loguserid"]),";\n";
+ echo 'var priv=',getprivileges($userid),";\n";
 }
 else
 {
@@ -81,11 +87,11 @@
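Review bot: `real_escape_string()` on the `loguserid` cookie in the admin.php hunk only neutralises quote and backslash characters, so the fix holds only if `getprivileges()` (not visible in this patch) places `$userid` inside a quoted SQL literal; if the query compares it unquoted, as is common for numeric ids, the escaped value is still interpolated verbatim and the injection is not closed. Because the cookie is a user id, a cast is both simpler and sufficient, `$userid = isset($_COOKIE["loguserid"]) ? (int) $_COOKIE["loguserid"] : 0;`, and the stronger fix is to bind the value with a prepared statement inside `getprivileges()` rather than escaping at the input site. The same applies to the `$userid` blocks in the command.php and index.php hunks, and to `$session` in command.php, where the value is a string and a bound parameter is the right tool. Escaping at read time also ties the variable to the connection's charset and to a single use in SQL, so it must not be re-escaped or reused in a non-SQL context later in these scripts; the index.php hunk additionally appears to have lost its `<?php` … `$db->` fragment in rendering, so that block should be checked against the actual commit.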